usertype Sessionkey;
usertype Keypart;
secret k: Function;
const f: Function;

/*
 * Gong nonce based alternative
 *
 * Boyd & Mathuria: Protocols for authentication and key establishment
 * (2003) p. 101
 */

protocol gongnonceb(I,R,S)
{
	role I
	{
		fresh ni: Nonce;
		var nr: Nonce;
		fresh ki: Keypart;
		var kr: Keypart;

		send_1 (I,S, I,R, { I,S,I, ki, R }k(I,S), ni );
		recv_4 (S,I, { S,I,R,kr,I }k(I,S), { R,I,ni }f(ki,kr), nr );
		send_5 (I,R, { I,R,nr }f(ki,kr) );

		claim_6 (I, Secret, ki);
		claim_7 (I, Secret, kr);
		claim_8 (I, Nisynch);
		claim_9 (I, Niagree);
	}	
	
	role R
	{
		var ni: Nonce;
		fresh nr: Nonce;
		fresh kr: Keypart;
		var ki: Keypart;

		recv_2 (S,R, I,R, { S,R,I, ki, R }k(R,S), ni );
		send_3 (R,S, { R,S,R,kr,I }k(R,S), { R,I, ni }f(ki,kr), nr );
		recv_5 (I,R, { I,R,nr }f(ki,kr) );

		claim_10 (R, Secret, ki);
		claim_11 (R, Secret, kr);
		claim_12 (R, Nisynch);
		claim_13 (R, Niagree);
	}

	role S
	{
		var ni,nr: Nonce;
		var ki,kr: Keypart;
		var T;

		recv_1 (I,S, I,R, { I,S,I, ki, R }k(I,S), ni );
		send_2 (S,R, I,R, { S,R,I, ki, R }k(R,S), ni );
		recv_3 (R,S, { R,S,R,kr,I }k(R,S), T, nr );
		send_4 (S,I, { S,I,R,kr,I }k(I,S), T, nr );
	}
}


const kpe: Keypart;
const ke: Sessionkey;